3

We've recently encountered a problem in a Classic ASP application which relies upon a set of C# COM components, and have identified that the changes introduced in KB4338419 have broken something for us!

We have reduced the problem down to the essentials:

Created the simplest possible C# COM library:

using System;
using System.Runtime.InteropServices;

namespace TestComObject
{
    [ComVisible(true)]
    [Guid("B5C7370F-0EB5-4279-885C-9C169F9CBAA5")]
    [ClassInterface(ClassInterfaceType.None)]
    public class Class1
    {
        public string GetString()
        {
            return Guid.NewGuid().ToString("D");
        }
    }
}

Registered it on the server using RegAsm /codebase

Created the simplest possible ASP script to consume it:

<%
    Const COM_OBJECT_NAME = "TestComObject.Class1"
    Dim co
    Set co = Server.CreateObject(COM_OBJECT_NAME)
    Response.Write co.GetString()
%>

When accessing the page, we see:

Microsoft VBScript runtime error '800a01ad'

ActiveX component can't create object

/Default.asp, line 4

The web application runs in IIS (8), under a dedicated, non-priveleged user account. The (real) code has been running just fine for years, with limited privileges. If I add the user to the Administrators group, the COM object is instantiated. As a normal user, the page/code fails. If I change the progID to a non-.Net library everything works fine

File system permissions are fine. If I write a .vbs equivalent and execute as the non-privileged user, everything works fine.

The article for KB4338419 implies that some security change was made to how .Net COM objects are instantiated or accessed, and understandably doesn't go into much detail, and I can believe we're doing something wrong or not doing something now considered essential, but I can't find any information that suggests what we should be doing!

Your help would be appreciated! Tim

TimP
  • 219
  • 1
  • 6
  • 1
    @lankymart - agreed, this is the same question and cause, although my situation is the same as others in [the other question](https://stackoverflow.com/a/51304586/10071825). For the record, we're running 64bit not 32bit, and have to run our website & application pools as a specific user identity, in order to access network shares and databases. – TimP Jul 13 '18 at 08:50
  • same question here. may have more info: https://serverfault.com/q/920671/362722 – Vetras Aug 07 '18 at 14:26

1 Answers1

6

Please see if changing your Anonymous user to match your application pool identity fixes the problem:

enter image description here

haltenberg
  • 101
  • 2
  • Why answer what is clearly a duplicate question? – user692942 Jul 12 '18 at 19:05
  • 1
    @Lankymart Didn't have enough reputation to mark it as duplicate... While I was making a screenshot to post you already flagged it. – haltenberg Jul 12 '18 at 19:11
  • This workaround did not work for us. Besides, we can no longer restart the www service after we installed the July Windows Update. If we try, the service locks in "stopping" mode forever and we have to restart the server. We had to uninstall all KB's from the July Windows Update to fix all this mess. KB4284815, KB4338815, KB4338424, KB4338419, KB4054566 – Guilherme Rudnitzki Jul 16 '18 at 16:52
  • The www service restart issue I related in my previous comment seems to be related to this problem. Please check this thread: https://forums.iis.net/t/1239061.aspx?IISRESET+results+in+W3SVC+stuck+in+stopping+status+after+July+2018+patches – Guilherme Rudnitzki Jul 16 '18 at 19:17
  • @Lankymart this isn't exactly a duplicate considering it references a different KB "virus" from Microsoft. – GreatAndPowerfulOz Jul 18 '18 at 17:45
  • @GreatAndPowerfulOz its all related same regardless of specific KB code from Windows Update. Exact same error in the same July update window. – user692942 Jul 18 '18 at 18:23
  • Thanks @haltenberg, this worked for us, we have legacy asp websites which use asp.net System.Security.Cryptography.SHA512Managed and it solved it. – Tom Jul 30 '18 at 09:30